DETAILED ACTION

1. In view of the appeal brief filed on July 23, 2008, PROSECUTION IS HEREBY
REOPENED. New grounds of rejection are set forth below. 

To avoid abandonment of the application, appellant must exercise one of the 
following two options: 

(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply
under 37 CFR 1.113 (if this Office action is final); or,

(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed
by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and
appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth
in 37 CFR 41.20 have been increased since they were previously paid, then appellant
must pay the difference between the increased fees and the amount previously paid.

A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by 
signing below: 

/Gilberto Barron Jr/ 

Supervisory Patent Examiner, Art Unit 2132 

Claim Rejections - 35 USC § 102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States.

3. Claims 1-10, 12, 17 and 35 are rejected under 35 U.S.C. 102(b) as being
anticipated by Lermuzeaux et al.'s US Patent 5,621,889. Referring to claim 1,
Lermuzeaux teaches:

a. Access control devices for the computer network that control 
communications between compartments of the computer network (column 6, 
lines 38-40). 

b. Attack detection system for determining whether the computer network 
may be under attack (column 12, lines 52-63). 

c. A control plane for instructing the access control devices to allow network 
communications between the compartments of the computer network (column 
13, lines 3-13) based on a usage model describing legitimate network 
communications (column 8, lines 59-64) while restricting other network
communications between the compartments, in response to attack (column 7, 
lines 5-13). 

4. Referring to claim 2, Lermuzeaux teaches that the computer network is an 
enterprise network (column 1, lines 26-30). 

5. Referring to claim 3, Lermuzeaux discloses a system as claimed in claim 1, but
does not explicitly disclose wherein the computer network is a service provider network. 
The Examiner argues that the method of network profiling could be used on any 
network concerned with monitoring communications, moreover, nothing in Lermuzeaux 
precludes the method from being embodied in a service provider network, thus this
would have been an obvious modification over Lermuzeaux, as would have been readily
apparent to one of ordinary skill in the art. 

6. Referring to claim 4, Lermuzeaux discloses a system as claimed in claim 1, but 
does not explicitly disclose wherein the computer network is a public network. The 
Examiner argues that the method of network profiling could be used on any network 
concerned with monitoring communications, moreover, nothing in Lermuzeaux 
precludes the method from being embodied in a public network, thus this would have 
been an obvious modification over Lermuzeaux, as would have been readily apparent to 
one of ordinary skill in the art. 

7. Referring to claim 5, Lermuzeaux teaches compartmentalizing the computer 
network into separate sub-networks of network devices (Figure 2). 

8. Referring to claim 6, Lermuzeaux teaches that the access control devices 
separate host computers from the computer network (Figure 2). 

9. Referring to claim 7, Lermuzeaux teaches a network modeling system for 
generating the usage model (column 8, lines 59-64). 

10. Referring to claim 8, Lermuzeaux teaches the network modeling system
receiving flow information describing communications between network devices (column
7, lines 31-43).

11. Referring to claim 9, Lermuzeaux teaches that the flow information is collected by
network communication devices (column 6, lines 62-64). 

12. Referring to claim 10, Lermuzeaux teaches that the flow information is collected
by access control devices (column 6, lines 60-61).

13. Referring to claim 12, Lermuzeaux teaches comparing new network
communications to the usage model and updating the usage model if the new network
communications are not described by the usage model (column 13, lines 56-59).

14. Referring to claim 17, Lermuzeaux teaches performing heuristic modeling to 
determine whether the computer network is under attack (column 14, line 66-column 15, 
line 1). 

15. Referring to claim 35, Lermuzeaux teaches: 

d. Access control devices for the computer network that control 
communications between compartments of the computer network (column 6, 
lines 38-40). 

e. Attack detection system for determining whether the computer network 
may be under attack (column 12, lines 52-63). 

f. A control plane for instructing the access control devices to only allow 
network communications between the host computers in different compartments 
of the computer network (column 13, lines 3-13) based on a usage model 
describing legitimate network communications (column 8, lines 59-64) while 
restricting all other network communications between the host computers, in 
response to attack (column 7, lines 5-13). 

16. Claims 11, 16, 19-23, 25-31 and 34 are rejected under 35 U.S.C. 103(a) as
being unpatentable over Lermuzeaux and further in view of Yadav. 

17. As per claim 11, Lermuzeaux discloses a system as claimed in claim 8, but does
not disclose wherein the network modeling system discards flow information between
network devices in the computer network and network devices external to the computer
network. The examiner argues that it would have been obvious for one of ordinary skill 
in the art to modify Lermuzeaux to include wherein only communications within the 
network were examined, moreover the Examiner admits Yadav for also disclosing this 
feature. 

18. Yadav discloses a method of network intrusion detection wherein the access 
control component resides on a networked machine [0022] and fig. 2b, wherein the 
network may be a single network wherein communications from within the network are 
only monitored for attack/intrusion (as discussed in [0002] and [0005]). Yadav is 
analogous art because it is directed to a method of intrusion detection in a network. It 
would have been obvious to supplement Lermuzeaux to include wherein only flow 
information between internal network devices was monitored. Motivation for one of 
ordinary skill in the art to modify Copeland as discussed above would have been to 
implement the method wherein it is desirable to detect for intrusion attacks only within 
the network devices as may be desirable for certain single networks, as would have 
been obvious to one of ordinary skill in the art and as is implied as a choice embodiment 
in [0002] and [0005] of Yadav. 

19. As per claims 16 and 30, Lermuzeaux discloses a system as claimed in claim 1,
but does not explicitly disclose wherein the attack detection system monitors 
communications over the computer network for attack using signature detection. 

20. Yadav discloses such a method of detecting intrusion based on signature 
analysis ([0032]). Yadav is analogous art because it is directed to a method of network
intrusion detection. It would have been obvious to modify Lermuzeaux to include a
method of detecting intrusion based on signature attacks. Motivation for modifying 
Lermuzeaux as discussed above would have been readily apparent to one of ordinary 
skill in the art, as it is a well-known and common method to scan for known intrusion 
behavior. 

21. As per claim 19, Lermuzeaux discloses a system as claimed in claim 1, as well
as generating pass rules based on the usage model (column 2, lines 17-27). 
Lermuzeaux does not explicitly disclose wherein the control plane receives protocol 
information and/or port information characteristic of the attack and generates blocking 
rules for the access control devices. However, Yadav discloses such a method wherein 
pass/blocking rules are generated for the access control devices ([0028]). Motivation 
for modifying Lermuzeaux to include generating pass/blocking rules based on protocol 
or port information would have been well known and understood by one of ordinary skill 
in view of Lermuzeaux, as it is a necessary feature. 

22. As per claims 20 and 34, Lermuzeaux discloses a system as claimed in claim 1,
as well as generating pass rules based on the usage model (column 2, lines 17-27). 
Lermuzeaux does not explicitly disclose wherein the control plane receives protocol 
information and/or port information characteristic of the attack and generates blocking 
rules for the access control devices, in which the blocking rules are generated from the 
protocol information and/or port information characteristic of the attack [0028] and 
[0029]. Motivation for modifying Lermuzeaux to include generating pass/blocking rules
based on protocol or port information would have been well known and understood by
one of ordinary skill in view of Lermuzeaux, as it is a necessary feature. 

23. As per claim 21, Lermuzeaux discloses:

g. Generating a usage model for the computer network (column 8, lines 59-64).

h. Determining whether the computer network may be under attack (column
12, lines 52-63).

i. In response to detecting an attack, determining characteristics of the
attack (column 14, lines 6-7).

j. Generating instruction to the access control device compartmentalizing
the computer network in response to the characteristics of the attack (column 14,
lines 55-58) including generating pass rules (column 2, lines 17-27).

k. Issuing instructions to the access control device (column 6, lines 52-54).

24. Lermuzeaux does not explicitly disclose generating the pass/blocking rules for 
the access control in response to protocol characteristics and/or port characteristics. 
However, Yadav discloses such a method wherein pass/blocking rules are generated for
the access control devices ([0028]). Motivation for modifying Lermuzeaux to include 
generating pass/blocking rules based on protocol or port information would have been 
well known and understood by one of ordinary skill in view of Lermuzeaux, as it is a 
necessary feature.

25. Referring to claims 22 and 23, Lermuzeaux teaches the network modeling
system saving records describing network communications to and from network devices 
(column 7, lines 31-43). 

26. Referring to claim 25, Lermuzeaux teaches compartmentalizing the computer 
network into separate sub-networks of network devices (Figure 2). 

27. Referring to claim 26, Lermuzeaux teaches that the access control devices 
separate host computers from the computer network (Figure 2). 

28. Referring to claim 27, Lermuzeaux teaches:

l. Collecting flow information at network communications devices (column
7, lines 31-37).

m. Passing flow information to a network modeling system (column 8, lines 
59-64). 

29. Referring to claim 28, Lermuzeaux teaches that the flow information is collected 
by access control devices (column 6, lines 60-61). 

30. Referring to claim 29, Lermuzeaux teaches comparing new network
communications to the usage model and updating the usage model if the new network
communications are not described by the usage model (column 13, lines 56-59).

31. Referring to claim 31, Lermuzeaux teaches performing heuristic modeling to
determine whether the computer network is under attack (column 14, line 66-column 15, 
line 1). 

32. Claim 34 is rejected because it discloses substantially similar subject matter to 
claim 20 respectively.

33. Claims 13, 14, and 18 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Lermuzeaux as applied above, and further in view of Copeland.
Referring to claim 13, Lermuzeaux discloses all the limitations of the parent claim.
Lermuzeaux does not explicitly disclose that the usage model comprises source and 
destination port and addresses derived from network communications. However, 
Copeland discloses storing the source and destination addresses and port numbers 
(page 4, paragraphs 53-56). Lermuzeaux and Copeland are analogous art because 
they are from the same field of endeavor, intrusion detection. At the time of the 
invention, it would have been obvious to one of ordinary skill in the art, having the 
teachings of Lermuzeaux and Copeland before him or her, to modify the system of 
Lermuzeaux to include the address and port numbers of Copeland. The 
suggestion/motivation for doing so would have been to recognize legitimate flows (page 
4, paragraph 53). 

34. Referring to claim 14, Lermuzeaux teaches time stamping the data information 
(column 6, lines 23-25). 

35. Referring to claim 18, Lermuzeaux discloses all the limitations of the parent 
claim. Lermuzeaux does not explicitly disclose determining whether the network may be 
under attack by monitoring changes in connections between network devices. However, 
Copeland discloses the attack detection system monitors communications over the 
computer network for attack by monitoring changes in connections between network 
devices (page 4, paragraph 55). Lermuzeaux and Copeland are analogous art because 
they are from the same field of endeavor, intrusion detection. At the time of the
invention, it would have been obvious to one of ordinary skill in the art, having the
teachings of Lermuzeaux and Copeland before him or her, to modify the system of
Lermuzeaux to include the connection monitoring of Copeland. The
suggestion/motivation for doing so would have been to recognize legitimate connections
and flows (page 4, paragraph 53).

36. Claim 15 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Lermuzeaux in view of Copeland and further in view of Day. 

37. As per claim 15, Lermuzeaux in view of Copeland discloses a system as claimed
in claim 1, wherein entries in the usage model comprise source addresses, destination
addresses, source ports, and destination ports derived from the network 
communications ([0054]-[0056]) but does not specifically disclose additionally storing 
frequency information indicating a frequency of the network communication. The 
Examiner argues that the profiling references each communication thus frequency 
determination may be made based on the stored table. 

38. Moreover, Day discloses a method of detecting network intrusion wherein 
frequency data of a specific field is stored in addition to address, port and protocol 
information (column 8, lines 26-50). Day is analogous art because it is directed to a
method of network intrusion detection. It would have been obvious for one of ordinary 
skill in the art to modify Lermuzeaux in view of Copeland to include storing frequency 
data relating to a particular communication instance. Motivation for modifying 
Lermuzeaux in view of Copeland as discussed above would have been to enhance the 
profiling of network activity by calculating historical data for frequency of a
communication, as it is well known to one of ordinary skill that a single communication
may not raise alarm, however if a plurality of the same communication is evident 
beyond a certain threshold this may be an alarming event. 

39. Claims 24 and 32 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Lermuzeaux in view of Yadav as applied above, and further in view of Copeland.
Referring to claim 24, Lermuzeaux in view of Yadav discloses all the limitations of the 
parent claim. Lermuzeaux in view of Yadav does not explicitly disclose that the usage 
model comprises source and destination port and addresses derived from network 
communications. However, Copeland discloses storing the source and destination 
addresses and port numbers (page 4, paragraphs 53-56). Lermuzeaux in view of Yadav
and Copeland are analogous art because they are from the same field of endeavor, 
intrusion detection. At the time of the invention, it would have been obvious to one of 
ordinary skill in the art, having the teachings of Lermuzeaux in view of Yadav and
Copeland before him or her, to modify the system of Lermuzeaux in view of Yadav to 
include the address and port numbers of Copeland. The suggestion/motivation for doing 
so would have been to recognize legitimate flows (page 4, paragraph 53). 

40. Referring to claim 32, Lermuzeaux in view of Yadav discloses all the limitations
of the parent claim. Lermuzeaux in view of Yadav does not explicitly disclose monitoring
the network connections for a potential attack. However, Copeland discloses the attack 
detection system monitors communications over the computer network for attack by 
monitoring changes in connections between network devices (page 4, paragraph 55). 
Lermuzeaux in view of Yadav and Copeland are analogous art because they are from
the same field of endeavor, intrusion detection. At the time of the invention, it would
have been obvious to one of ordinary skill in the art, having the teachings of 
Lermuzeaux in view of Yadav and Copeland before him or her, to modify the system of 
Lermuzeaux in view of Yadav to include the connection monitoring of Copeland. The 
suggestion/motivation for doing so would have been to recognize legitimate connections 
and flows (page 4, paragraph 53). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to CORDELIA KANE whose telephone number is 
(571) 272-7771. The examiner can normally be reached on Monday - Thursday 8:00 -
5:00 EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/C. K./ 

Examiner, Art Unit 2132 
/Gilberto Barron Jr/ 

Supervisory Patent Examiner, Art Unit 2132 



